How to Set Up Traefik as a Reverse Proxy and Load Balancer on Raspberry Pi
When running multiple services on your Raspberry Pi, managing ports gets messy fast. Traefik acts as a reverse proxy that automatically discovers Docker containers and routes traffic by hostname. It also handles load balancing and can provision Let's Encrypt SSL certificates automatically.
Prerequisites
- A Raspberry Pi (Pi 4 recommended) running Raspberry Pi OS
- Docker and Docker Compose installed (see our Docker setup guide)
- SSH access to your Pi
- A domain name pointed at your Pi (required for SSL, optional for local use)
Step 1: Create the Traefik Static Configuration
Start by creating the project directory: mkdir -p ~/traefik && cd ~/traefik
Create ~/traefik/traefik.yml:
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
log:
  level: "INFO"
Setting exposedByDefault: false means containers must opt in to Traefik routing via labels.
Step 2: Create the Docker Compose File
services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.local`)"
      - "traefik.http.routers.dashboard.service=api@internal"
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.local`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
The traefik/whoami image is a tiny service that returns request info -- perfect for testing.
Step 3: Launch the Stack
touch ~/traefik/acme.json && chmod 600 ~/traefik/acme.json
cd ~/traefik && docker compose up -d
Verify with docker compose ps.
Step 4: Access the Dashboard
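The Traefik dashboard runs on port 8080. Open http://YOUR_PI_IP:8080 in your browser to see routers, services, and middleware. Because api.insecure: true serves the dashboard and API on this port without authentication, keep port 8080 reachable only from your local network.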
Step 5: Test the Whoami Service
Send a request with the correct Host header:
curl -H "Host: whoami.local" http://YOUR_PI_IP
For browser access, add your Pi's IP to your local /etc/hosts file:
192.168.1.100 whoami.local traefik.local
Step 6: Add Let's Encrypt SSL
To enable automatic HTTPS, add a certificatesResolvers block and HTTP redirect to ~/traefik/traefik.yml. Add these sections alongside the existing config:
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /acme.json
      httpChallenge:
        entryPoint: web
Then update the whoami labels in docker-compose.yml to use the websecure entrypoint and the resolver:
- "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
Restart: cd ~/traefik && docker compose down && docker compose up -d
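With the websecure entrypoint and the letsencrypt resolver from Step 6 in place, the dashboard no longer needs the unauthenticated port 8080 listener that api.insecure: true opens. The configuration below is an added example, not part of the original guide: it routes the dashboard through websecure behind basic auth. The hostname traefik.yourdomain.com, the middleware name dashboard-auth, the user admin and the hash placeholder are assumptions to replace with your own values.

```yaml
# --- ~/traefik/traefik.yml (static config) ---
# Keep the dashboard enabled, but stop serving it unauthenticated on :8080.
api:
  dashboard: true
  insecure: false   # was: true

# --- ~/traefik/docker-compose.yml (traefik service only) ---
services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # "8080:8080" removed: the dashboard is now reached through websecure
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      # Assumed hostname; it needs a DNS record like the whoami one in Step 6.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.service=api@internal"
      # Attach the basic-auth middleware defined on the next label.
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # Placeholder value: paste the output of `htpasswd -nB admin` here and
      # double every "$" to "$$" so Compose does not expand it as a variable.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH"
```

After restarting the stack, a request to the dashboard hostname without credentials should return 401, and port 8080 on the Pi should no longer accept connections.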
Troubleshooting
- Dashboard not loading on 8080: Ensure the container is running with docker compose ps and nothing else uses that port.
- 404 on routed services: Verify the Host rule matches exactly. Check the dashboard for registered routers.
- SSL certificate not issued: Ensure DNS points to your Pi's public IP, port 80 is forwarded, and acme.json has 600 permissions.
- Services not appearing: Confirm traefik.enable=true is set as a label on the container.
Conclusion
Traefik provides automated traffic routing across all your Raspberry Pi services. With Docker labels and automatic Let's Encrypt SSL, you get a production-ready reverse proxy on minimal hardware.